arrowrat | b559413c43d76b67e8b068c842a0a615b04d6d687be860e18da1adc43dfe5b5e | Triage

Submit
Reports

Overview

overview

Static

static

7

Emiditor.exe

windows7-x64

9

Emiditor.exe

windows10-2004-x64

Sharing

General

Target

Emiditor.exe
Size

8.1MB
Sample

221127-wtfgascd7s
MD5

e08805d6085d6402dcaeb253e4375a09
SHA1

2c79a1203c135aa1a7d5fbed566c94983278b40c
SHA256

b559413c43d76b67e8b068c842a0a615b04d6d687be860e18da1adc43dfe5b5e
SHA512

517d723f46c11a10eb303d655ffca77b1bc3f863450208e659cfea70276f15a7d921d52c04597d035faebb7278e66ff55bbb45b451568f11bc176650bd149db9
SSDEEP

98304:iFBz9bmxmtOfP7TI/OKIdSOwSmGrjvvLYq5dkcDNckgHDJHZt:qBzQxmtOfzsWKgwS1jvvH5uFHn

Score

10^/10

arrowrat client evasion persistence rat themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Emiditor.exe

Resource

win7-20220812-en

evasion themida trojan

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

Emiditor.exe

Resource

win10v2004-20221111-en

arrowrat client evasion persistence rat themida trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

65.108.204.97:1337

Mutex

PreIzXewwN

Targets

- Target
  
  Emiditor.exe
- Size
  
  8.1MB
- MD5
  
  e08805d6085d6402dcaeb253e4375a09
- SHA1
  
  2c79a1203c135aa1a7d5fbed566c94983278b40c
- SHA256
  
  b559413c43d76b67e8b068c842a0a615b04d6d687be860e18da1adc43dfe5b5e
- SHA512
  
  517d723f46c11a10eb303d655ffca77b1bc3f863450208e659cfea70276f15a7d921d52c04597d035faebb7278e66ff55bbb45b451568f11bc176650bd149db9
- SSDEEP
  
  98304:iFBz9bmxmtOfP7TI/OKIdSOwSmGrjvvLYq5dkcDNckgHDJHZt:qBzQxmtOfzsWKgwS1jvvH5uFHn
Score

10^/10

evasion themida trojan arrowrat client persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies Installed Components in the registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionthemidatrojan

behavioral2

arrowratclientevasionpersistenceratthemidatrojan

© 2018-2024

Terms | Privacy